added persist test, nixvim to flake, user ssh config

This commit is contained in:
Sam 2024-05-25 15:23:00 +00:00
parent 2d0c12a033
commit 486a03ca47
9 changed files with 312 additions and 15 deletions


@ -1,5 +1,27 @@
{ {
"nodes": { "nodes": {
"devshell": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1713532798,
"narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
"owner": "numtide",
"repo": "devshell",
"rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"disko": { "disko": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -20,6 +42,112 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 57,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1715865404,
"narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-root": {
"locked": {
"lastModified": 1713493429,
"narHash": "sha256-ztz8JQkI08tjKnsTpfLqzWoKFQF4JGu2LRz8bkdnYUk=",
"owner": "srid",
"repo": "flake-root",
"rev": "bc748b93b86ee76e2032eecda33440ceb2532fcd",
"type": "github"
},
"original": {
"owner": "srid",
"repo": "flake-root",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"nixvim",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -40,6 +168,27 @@
"type": "github" "type": "github"
} }
}, },
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716448020,
"narHash": "sha256-u1ddoBOILtLVX4NYzqSZ9Qaqusql1M4reLd1fs554hY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "25dedb0d52c20448f6a63cc346df1adbd6ef417e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1708968331, "lastModified": 1708968331,
@ -55,6 +204,27 @@
"type": "github" "type": "github"
} }
}, },
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716329735,
"narHash": "sha256-ap51w+VqG21vuzyQ04WrhI2YbWHd3UGz0e7dc/QQmoA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "eac4f25028c1975a939c8f8fba95c12f8a25e01c",
"type": "github"
},
"original": {
"owner": "lnl7",
"repo": "nix-darwin",
"type": "github"
}
},
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -115,6 +285,61 @@
"type": "github" "type": "github"
} }
}, },
"nixvim": {
"inputs": {
"devshell": "devshell",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-root": "flake-root",
"home-manager": "home-manager_2",
"nix-darwin": "nix-darwin",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks": "pre-commit-hooks",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1716566815,
"narHash": "sha256-WO3MF4W1SrSD0lanU1n7dfuHizeSLfDHJNEir9exlcM=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "9d858de2e9ab136d1c53d92af62fed8fccf492ab",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixvim",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716213921,
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",
@ -123,6 +348,7 @@
"nix-secrets": "nix-secrets", "nix-secrets": "nix-secrets",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nixvim": "nixvim",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },
@ -146,6 +372,42 @@
"repo": "sops-nix", "repo": "sops-nix",
"type": "github" "type": "github"
} }
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1715940852,
"narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@ -11,6 +11,15 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# Nixvim
nixvim = {
url = "github:nix-community/nixvim";
# If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
# url = "github:nix-community/nixvim/nixos-23.05";
inputs.nixpkgs.follows = "nixpkgs";
};
# Declarative partitioning and formatting # Declarative partitioning and formatting
disko = { disko = {
url = "github:nix-community/disko"; url = "github:nix-community/disko";
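Review bot: The new `nixvim` input pins only `nixpkgs` via `follows`, so the lock file now carries a second home-manager (`home-manager_2`) next to the one the root flake already uses, which doubles the pinned tree that has to be tracked and audited. Adding `inputs.home-manager.follows = "home-manager";` under the nixvim block would collapse that to a single pin, assuming nixvim works with the home-manager revision this flake already locks — worth confirming before relying on it. The commented-out `nixos-23.05` URL is template text from nixvim; if it is kept as a hint, it should name the branch actually intended for this configuration rather than a fixed old release.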


@ -2,5 +2,6 @@
{ {
imports = [ imports = [
./zsh.nix ./zsh.nix
./ssh.nix
] ; ] ;
} }

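--- /dev/null
+++ b/home/common/core/ssh.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+{
+programs.ssh = {
+enable = true;
+matchBlocks = {
+"git.bitlab21.com" = {
+identitiesOnly = true;
+identityFile = "~/.ssh/deploy_key-ssh-ed25519";
+};
+};
+};
+}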
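Review bot: `identityFile = "~/.ssh/deploy_key-ssh-ed25519"` must stay in step with the sops secret `path` that provisions the key (`/home/${username}/.ssh/deploy_key-ssh-ed25519` in the home sops module), and with `identitiesOnly = true` any drift means ssh offers no key at all, which only surfaces at clone time. A comment above the match block making that coupling explicit would help, e.g. `# Private key is provisioned by sops (secrets."ssh_keys/deploy_key/id_ed25519"); keep this path in sync with its path option.`. Neither `config` nor `pkgs` is used in this file, so the header can be reduced to `{ ... }:`.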


@ -13,9 +13,10 @@ in
sops = { sops = {
age.sshKeyPaths = ["${homeDirectory}/.ssh/id_ed25519"]; age.sshKeyPaths = ["${homeDirectory}/.ssh/id_ed25519"];
defaultSopsFile = "${secretsFile}"; defaultSopsFile = "${secretsFile}";
validateSopsFiles = false; validateSopsFiles = false;
secrets."ssh_keys/deploy_key/id_ed25519" = {
path = "/home/${username}/.ssh/deploy_key-ssh-ed25519";
};
}; };
} }
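Review bot: The new `path` is built from `/home/${username}` while the `age.sshKeyPaths` entry two lines above uses `${homeDirectory}`; the two disagree for any account whose home is not under `/home`, and the deploy key would then be written where the ssh config never looks. `path = "${homeDirectory}/.ssh/deploy_key-ssh-ed25519";` keeps one source of truth. The same string is duplicated verbatim as `identityFile` in `home/common/core/ssh.nix`, so a short comment here naming that consumer, e.g. `# Consumed as identityFile in home/common/core/ssh.nix — change both together`, would make the coupling visible. The `let` bindings (`homeDirectory`, `secretsFile`) and the enclosing module start outside the hunk.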


@ -1,8 +1,9 @@
{ pkgs, inputs, config, username, ... }: { pkgs, lib, inputs, config, username, ... }:
let let
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
hasOptinPersistence = config.environment.persistence ? "/persist";
hostname = config.networking.hostName; hostname = config.networking.hostName;
in in
{ {
@ -15,7 +16,7 @@ in
validateSopsFiles = false; validateSopsFiles = false;
age = { age = {
sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = [ "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key" ];
}; };
secrets = { secrets = {
"passwords/root".neededForUsers = true; "passwords/root".neededForUsers = true;
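Review bot: `config.environment.persistence ? "/persist"` on the new `hasOptinPersistence` line throws rather than evaluating to `false` on a host where the impermanence module is not imported, because `config.environment.persistence` is then an undefined option; `lib.hasAttrByPath [ "environment" "persistence" "/persist" ] config` degrades to `false` in that case. The same test and the same `${lib.optionalString hasOptinPersistence "/persist"}` prefix are repeated in the openssh module below (its `hasOptinPersistence` binding and `hostKeys.path`), so the `/persist` literal now lives in four places that must be kept in lock-step by hand; a single `persistPrefix` value passed through `specialArgs` or a small lib helper would remove the duplication. When persistence is on, sops reads the age key from `/persist/etc/ssh/ssh_host_ed25519_key` during early activation, which presumes the `/persist` filesystem is marked `neededForBoot` on every host taking that branch — not visible here and worth confirming. The `in` block and the rest of the sops attribute set continue outside the hunk.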


@ -1,6 +1,7 @@
{ lib, config, ... }: { lib, config, ... }:
let let
sshPort = 22; sshPort = 22;
hasOptinPersistence = config.environment.persistence ? "/persist";
in in
{ {
@ -9,7 +10,7 @@ in
ports = [ sshPort ]; ports = [ sshPort ];
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
hostKeys = [{ hostKeys = [{
path = "/persist/etc/ssh/ssh_host_ed25519_key"; path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
type = "ed25519"; type = "ed25519";
}]; }];
settings = { settings = {


@ -2,9 +2,10 @@
let let
pubKeys = lib.filesystem.listFilesRecursive (../keys); pubKeys = lib.filesystem.listFilesRecursive (../keys);
hostname = config.networking.hostName; hostname = config.networking.hostName;
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/media".path; sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${user}".path;
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
user = "media";
in in
{ {
@ -23,7 +24,7 @@ in
environment.persistence."/persist" = { environment.persistence."/persist" = {
hideMounts = true; hideMounts = true;
users.media= { users.${user}= {
directories = [ directories = [
"sync" "sync"
"keep" "keep"
@ -39,19 +40,29 @@ in
}; };
}; };
sops.secrets."passwords/media" = { sops.secrets."passwords/${user}" = {
sopsFile = "${secretsFile}"; sopsFile = "${secretsFile}";
neededForUsers = true; neededForUsers = true;
}; };
sops.secrets."ssh_keys/media/id_ed25519" = { sops.secrets."ssh_keys/${user}/id_ed25519" = {
path = "/home/media/.ssh/id_ed25519"; path = "/home/${user}/.ssh/id_ed25519";
mode = "0600";
owner = config.users.users.media.name;
}; };
sops.secrets."ssh_keys/media/id_ed25519.pub" = { sops.secrets."ssh_keys/${user}/id_ed25519.pub" = {
path = "/home/media/.ssh/id_ed25519.pub"; path = "/home/${user}/.ssh/id_ed25519.pub";
mode = "0644";
owner = config.users.users.media.name;
}; };
# # Need to change ownership of the secrets as they are created as root
# system.activationScripts.sopsSetAgeKeyOwnwership = ''
# mkdir -p /home/${user}/.config || true
# chown -R ${user}:users /home/${user}/.config
# '';
services.flatpak.enable = true; services.flatpak.enable = true;
users.users.media = { users.users.media = {
packages = with pkgs; [ packages = with pkgs; [
@ -66,7 +77,7 @@ in
home-manager = { home-manager = {
extraSpecialArgs = { inherit inputs; }; extraSpecialArgs = { inherit inputs; };
users = { users = {
media = import ../../../../home/${hostname}.nix; ${user} = import ../../../../home/${hostname}.nix;
}; };
}; };
} }
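Review bot: The parameterisation with `user = "media"` is incomplete: `owner = config.users.users.media.name` on both new secret entries and `users.users.media = {` still hardcode the name, so changing `user` would leave the key files owned by an account other than the one defined below. `owner = config.users.users.${user}.name;` and `users.users.${user} = {` finish the job. The commented-out `sopsSetAgeKeyOwnwership` activation script is dead code in a secrets-handling file; either delete it or replace it with a one-line comment stating that ownership is now handled by the `owner`/`mode` options. Nix `let` bindings are recursive, so referencing `${user}` on the `sopsHashedPasswordFile` line before its definition is fine, though moving the binding to the top of the `let` reads more naturally.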


@ -1,8 +1,6 @@
{ inputs, config, lib, pkgs, outputs,... }: { inputs, config, lib, pkgs, outputs,... }:
let let
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path; sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in in
{ {
imports = imports =